In reviewing reports of vulnerabilities in WordPress plugins, to provide our customers with the best data on vulnerabilities in the plugins they use, we often find reports of things that don’t appear to be vulnerabilities. For the more problematic reports we release posts detailing why the vulnerability reports are false, but there have been a lot that we haven’t felt rose to that level. In particular, there are items that are not outright false, but where the issue is probably more accurately described as a bug. Those that don’t rise to the level of getting their own post we now place in a weekly post when we come across them.
Recently we have been finding a lot of vulnerabilities in WordPress plugins through monitoring our websites for what look to be requests related to hacking attempts. That has led to these plugins either being fixed or pulled from the Plugin Directory so that more websites are not made vulnerable. Our getting the plugin removed from the Plugin Directory obviously doesn’t do anything for people already running it, so WordPress should finally take up our suggestion to warn about the fact that they removed a plugin for a security issue. In the meantime, even if you don’t use our service, you can get warned about plugins like this with our Plugin Vulnerabilities plugin, since even without being signed up for the service you get warned about vulnerabilities in plugins we are seeing hacking attempts against.